arpitjain099 opened a new pull request, #22260:
URL: https://github.com/apache/kafka/pull/22260
## Summary
- Add explicit `permissions` blocks to 12 workflows that previously relied
on default token scopes.
- Set read-only permissions (`contents: read`) for build/test and Docker
workflows.
- Add narrowly scoped write permissions only where workflow behavior
requires them:
- `actions: write` for workflow run approval automation
- `statuses: write` for commit status update workflows
## Why
This hardens `GITHUB_TOKEN` usage by making required scopes explicit and
minimizing privilege per workflow.
## Notes
- `ci.yml` is intentionally excluded in this PR because it invokes the
reusable `build.yml` workflow, which includes a trunk-only
`update-test-catalog` job that requires `contents: write`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
